A simple guide to cookies and how to comply with EU cookie law

From 26 May, UK websites are required by law to comply with the EU "Cookie Law" which means that companies must gain the consent of web users before serving them web cookies. The problem is, most people don't really understand what cookies are and how they are being used already.

According to a study by PWC from 2011, just 13 percent of people fully understand how web cookies work and 45 percent had "some understanding" of them. Meanwhile a KPMG study reveals that 95 percent of websites aren't yet compliant with the EU's new law. While we are confident that Wired.co.uk readers are highly likely to understand how cookies generally work, we recognise that most of us have friends, family members and associates who may not. As such, we've created a simple guide to cookies, the EU "Cookie Law" and how to comply with it.

What is a cookie? A cookie is a very simple text file that gets downloaded onto your PC when you visit a website. They generally contain two bits of information: a site name and a unique user ID. Once the cookie is on your computer, the site "knows" that you have been there before and can then use that knowledge to tailor the experience that you have. The vast majority of commercial websites -- be they major online publishers, banks or ecommerce sites -- will use them.

Advertisement

What are they used for? Cookies are used for many different functions including auto-filling forms, counting visitors, storing shopping basket items, personalising content, targeting advertising, recording user preferences and for authentication and security.

How many cookies do sites drop? According to a UK study by Trust-e, the average website has 14 cookies per page.

Read next

NHS ransomware 'hero' allowed back online ahead of US trial

ByMatt Burgess

Roughly 32 percent of these come from the website owner and 68 percent come from third party companies, which could be analytics companies or companies that deliver advertising.

What is the so-called "Cookie Law"? The "Cookie Law" stems from a modification to the EU Privacy and Electronic Communications Directive, which took place in November 2009. It aims to safeguard privacy online and protect web users from unwanted marketing. Cookies can be used to build up a profile of where you have been and how you have behaved online. The law aims to make sure that any company seeking to collect information about a web user must ask for their consent first. Prior to this modification, websites had to allow people to opt out of cookies. Now they have to opt in to all "non-essential" cookies. The law was imported into UK law in May 2011, but UK companies were given one year to comply. The deadline for compliance is 26 May, 2012.

Advertisement

Who needs to comply with it? The law applies to all member states of the European Union. Websites outside of the EU must comply with the law if they are targeting people within member states. So a website based in the USA that sells to people in the UK will also have to comply.

So what is an "essential" cookie? The wording in the directive is broad, but the regulations specify that if cookies are necessary for carrying out or facilitating the transmission of a communication or is "strictly necessary" for providing an "information society service" requested by the user. Cookies likely to be deemed essential are those used for the shopping basket and checkout, those that provide security for online banking services and those that help ensure that your page loads quickly by distributing the workload.

What is a non-essential cookie?

Read next

Creating a drone register is easy, enforcing it is much harder

ByMatt Burgess

Any cookies used for analytical purposes to count the number of visitors to a website, any cookies used by first party or third party advertisers, including affiliates, and cookies used to recognise the user when they return to a website so they receive a tailored greeting or optimised landing page. These are the cookies being targeted by the new EU legislation.

Advertisement

Is this just about cookies? The wording of the law talks about "local browser storage" and applies not just to cookies but to technologies that behave in a similar way, such as local shared objects (referred to as "flash cookies"), web beacons or web bugs.

How do I know if the website I operate uses cookies? If you have any advertising or analytics tools you are likely to be serving cookies. However, if you want to find out exactly what cookies your site serves, there are a number of cookie audit tools that allow you to do this. Firefox has an extension called View Cookies, but there are other tools including the Attacat Chrome extension, Trust-e's cookie tracker and Tagcert. It's worth clearing your browser cookies before you do this. Remember that not all cookies are bad cookies -- some of them may be "strictly necessary" (see above).

How do sites comply with the Cookie Law from 26 May? Technically, from 26 May, sites must gain the consent of their web users for placing non-essential cookies on their computers. The definition of consent is open to interpretation, but must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, dismissing a banner, sending an email or subscribing to a service.

What happens if sites don't comply? Technically, the maximum penalty for not complying is £500,000 for cases where there is a deliberate breach of the law that causes substantial distress. There are also smaller penalties such as being sent an information notice or an enforcement notice.

However, this will be an incredibly difficult law to police and enforce as it affects so many sites.